Putting a Price on Security

As the economy takes body blow after body blow, companies are struggling to do
more with less. When it comes to security, however, the cost of not doing
enough can be immeasurable.

So, just how low can companies go?

For many companies, slashed budgets have forced a reassessment of priorities as
well as some creative negotiating with vendors. But the question of how to save
a buck without sacrificing security has some IT professionals both scratching
and shaking their heads.

Mike Miller, director of IS at Media General, did the latter. Miller wanted to replace
some of the 3-year-old monitoring and event correlation systems the company
uses, but, with the capital portion of his budget dropping by about 50 percent,
he will be unable to do so.

"We're running on older stuff for a little bit longer," he told eWEEK.

On the plus side, Media General's operational budget has remained steady, and, as
of mid-January, the company's IT security staff has not been cut.

In the five years Miller has served in his position, the business's concerns have
shifted from regulatory compliance to malware and phishing. With the economy
being what it is, Miller said, there are no plans for any major implementations
of new technology. These days, the company is more focused on making
incremental improvements instead of broad new deployments.

Miller's story is not unique. Still, analysts say, overall security budgets have not
been hit hard, yet.

"In the fourth quarter of 2008, we did not see security spending plans derailed,
nor in the first two weeks of 2009," said Gartner analyst John Pescatore. "However,
I think the first quarter will be tough; the natural tendency will be to delay
spending to see if things get better in 2Q. Upgrading firewalls or IPS [intrusion prevention
systems], for example, can usually be delayed a few months with no major
impact."

A survey by Gartner put security at No. 8 on a list of the top 10 technology
priorities for CIOs. Business intelligence was ranked first.

Other studies show that security occupies a larger segment of IT budgets than in past
years. For example, according to a Forrester Research report titled "The
State of Enterprise IT Security 2008 to 2009," security has gone from 7.2
percent of enterprise IT budgets in 2007 to 12.6 percent in 2009.

The study surveyed 942 North American and European companies of different sizes.
The report lists data security as the top concern among IT security groups,
with 68 percent citing it as "very important." Fifty-one percent
cited business continuity and disaster recovery as "very important."

The very largest companies tend to spend the most on IT security, measured as a
percentage of their IT budgets, noted Forrester analyst Jonathan Penn. These companies
also tend to spend relatively heavily on staff, as a percentage of their IT
security budgets. To compensate, they are slowing down or deferring security
technology upgrades, said Penn.

"There are certainly companies whose IT security budgets are shrinking, and many
companies face an extremely difficult climate for capital expenditures,
delaying the rollout of new products," Penn said. "Overall, IT
budgets are slowing but not declining. Across both SMBs [small and midsize
businesses] and the enterprise, IT security budgets are gaining a greater share
of the overall IT budget. In other words, IT security is slowing less than IT
in general."

Taking Creative Measures for Security

By some measures, George Lee is one of the lucky ones. Lee is director of IT at
The Leading Hotels of the World, a hospitality organization that represents
more than 450 hotels, resorts and spas across the globe.

Like that of some other IT leaders, his budget has seen cuts, with training and
travel being the first to go. However, the organization was able to fit in a
major revamp of its network infrastructure in 2008, putting in Cisco Systems firewalls,
switches and other upgrades.

The move was precipitated by plans to bring the organization's financial accounting
operations in-house.

"I was very lucky I was able to put [the security systems in] in 2008," said
Lee. "If I were confronted with that same issue, I would do my very best
to make sure that the company was protected, or get the funds to make sure the
data is safe from the outside world."

Yuval Ben-Itzhak, CTO of security provider Finjan, said he expects to
see IT professionals watching every dollar.

"CIOs will look for more value for every dollar they will spend," Ben-Itzhak
said. "They will look for simpler solutions that are easier to manage
while having less people on their staff."

Indeed, tough times often call for creative measures, according to Scott Ksander, chief
information security officer for Purdue University.

"We've been very successful at having some strategic partnerships with vendors, and
focusing in on what we wanted to do," Ksander said.

A case in point is the negotiation with Q1 Labs to pull off a log management
project the university was planning. According to Ksander, the university
generates somewhere between 10GB and 12GB of logs a day, compressed, and that
necessitates having the right tools in place to correlate and organize log
data.

"We have a very dispersed set of systems, and when we do incident response work, we
need a lot of log data," he explained. "As various parts of the
university are trying to cut back, they're either not hanging on to the log
data, or they don't care about it or it's not their primary focus. ... So we
put in place an initiative we wanted to do this year, which basically said, 'You
don't want to keep it, give it to us.'"

After putting the project out for bid and receiving responses that were over budget, the
university staff sat down with Q1 Labs to come up with a way to make things
work.

"It turns out we ended up doing some development work with the vendor, and they
gave us some quid pro quo for that, and we were able to pull this off with the
money we had," said Ksander. "I really don't want to cite a specific
number on the savings because that really doesn't compare apples to apples.
Where we ended up isn't exactly where [we] started on either side. I would
characterize the savings as very significant, however."

The contract negotiation process started in early November and concluded very early
in January, he said, adding that work with the product will continue after
delivery.